Velocity Reviews - Computer Hardware Reviews

How to close the unnecessary Ports

 
 
Nick
      10-04-2005

"Moe Trin" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In the Usenet newsgroup alt.computer.security, in article
> <ObX%e.55886$tl2.29260@pd7tw3no>, Nick wrote:
>
> >Thanks all of you for taking your time to help me, a beginner, with the
> >ports. I use only one workstation running Win 2K at the moment.
>
> >How should I configure the filtering settings, so it will be enough just
> >to access the internet, my ftp server, my e-mails and the newsgroup?
>
> <cringe! "beginner" + "server" != "fun">
>
> >I am sure this is one of the most stupid questions that has ever been
> >posted here, but I am in a learning process and I find this group very
> >supportive.
>
> The way to learn _is_ to ask and read. As for the "most stupid question",
> sorry - not even a contest. You've got a _long_ way to go to get into the
> "stupid" category.


That's deep!


> >All I know is that TCP/UDP are in the transport layer of the
> >OSI model, IP is in the networking layer,
>
> Close enough - though not mandatory to know. See RFC1180, available on
> a web site near you.
>
> 1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991.
> (Format: TXT=65494 bytes) (Status: INFORMATIONAL)



Thanks! I found the site and I am going to read it
(http://www.faqs.org/rfcs/rfc1180.html).
I went over some CBTs about TCP/IP and "Subnet mask" was a tough nut to
crack...

> >and some of the necessary ports I need are 20, (21), 25, 53, 80, 110,
> >119 and 443.
>
> No actually. You have just one server listed above, which is FTP. I'm
> a bit concerned why you feel you should be serving files, but this can
> be locked down as needed. FTP uses just two ports inbound (21 for control
> and passive mode data, 20 for active mode data). NONE - I repeat NONE of
> the rest of the ports need be open _inbound_ and should be blocked.


As a matter of fact, I meant the FTP site from which I use the service;
I do not serve files. Now I can see my ignorance regarding the relationship
between ports, users, and servers.

>
> People make the mistake thinking that if they want to _use_ service FOO
> as a client, then they have to open that port number INBOUND to their
> system. Not the case - the _server_ lives on that port, while your client
> uses a random number in the range 1025 to <65535.
>
> Port 25. You connect to your ISP's mail server port 25 (on your end, it's
> a random port number above 1024) to _send_ mail.
>
> Port 53. You connect to port 53 on the ISP's DNS servers to resolve names.
> Again, on your end, it's a random port above 1024. This is the only port
> where you MAY use both UDP and TCP. TCP is only used when the data
> returned from the name server is larger than 511 bytes (about 7 lines of
> text - rare for windoze).
>
> Port 80. You connect to port 80 on remote servers to get web pages. Your
> end is a random number above 1024.
>
> Port 110 (or possibly port 143) is the remote port to get your mail.
>
> Port 119 is the remote port you connect to to get news.
>
> Port 443 is the remote port for Secure HTTP. As with all of the
> connections to remote server ports - your end is a random number above
> 1024.
>
> >Hope to make you guys laugh
>
> Remember what we said - no services offered, means no ports open. If you
> did not offer FTP, you would need to open NONE of the ports below 1025
> inbound.


Thanks for helping me to come to my senses.


 
Hairy One Kenobi
      10-04-2005
"Nick" <(E-Mail Removed)> wrote in message
news:Y9m0f.70052$oW2.49792@pd7tw1no...

<snip>

> I went over some CBT's about TCP/IP and "Subnet mask" was a tough nut to
> crack...


Probably too late, but this /might/ help:
http://www.codecutters.org/resources/ipaddresses.html

H1K


 
Nick
      10-04-2005

"Hairy One Kenobi" <abuse@[127.0.0.1]> wrote in message
news:uPv0f.5417$(E-Mail Removed)...
> "Nick" <(E-Mail Removed)> wrote in message
> news:Y9m0f.70052$oW2.49792@pd7tw1no...
>
> <snip>
>
> > I went over some CBT's about TCP/IP and "Subnet mask" was a tough nut to
> > crack...
>
> Probably too late, but this /might/ help:
> http://www.codecutters.org/resources/ipaddresses.html


Thanks!

Regarding ports, I also found helpful ShieldsUP! (www.grc.com), netstat -ano
and PID (Task Manager), as well as MBSA
(http://www.microsoft.com/technet/sec.../mbsahome.mspx).

Nick


 
Unruh
      10-04-2005
"Hairy One Kenobi" <abuse@[127.0.0.1]> writes:

>"Nick" <(E-Mail Removed)> wrote in message
>news:Y9m0f.70052$oW2.49792@pd7tw1no...
>
><snip>
>
>> I went over some CBT's about TCP/IP and "Subnet mask" was a tough nut to
>> crack...


To determine if an address is on a subnet, the address is bitwise ANDed
(1+1=1 and everything else is 0) with the subnet mask. If the result is the
same as the subnet address, then that address is part of that subnet. If
not, then not.

Thus if the address is, say, 10110101, the subnet address is 10110000 and
the mask is 11110000, then 10110101 AND 11110000 = 10110000, which is the same
as the subnet address. On the other hand, had the subnet mask been 11111100
instead, then 10110101 AND 11111100 = 10110100, which is not the same as the
subnet address, so that address would not be on that subnet. (Note that
actual IP addresses have 32 bits, not 8, but the principle is the same.)
It may or may not be necessary that all of the 1 bits in the subnet mask be
contiguous.

>Probably too late, but this /might/ help:
>http://www.codecutters.org/resources/ipaddresses.html
>
>H1K



 
Moe Trin
      10-04-2005
In the Usenet newsgroup alt.computer.security, in article
<Y9m0f.70052$oW2.49792@pd7tw1no>, Nick wrote:

>"Moe Trin" <(E-Mail Removed)> wrote
>
>> The way to learn _is_ to ask and read. As for the "most stupid question",
>> sorry - not even a contest. You've got a _long_ way to go to get into the
>> "stupid" category.
>
>That's deep!


It's also true.

>Thanks! I found the site and I am going to read it.(
>http://www.faqs.org/rfcs/rfc1180.html )
>I went over some CBT's about TCP/IP and "Subnet mask" was a tough nut to
>crack...


Trying not to scare you, and to keep this short. Network masks are used
as a routing decision mechanism to tell your computer where to send those
packets. Masks are binary values expressed as hexadecimal or decimal
numbers. Binary:

Read these numbers vertically:

1
2631
84268421

10000000 = 128
11000000 = 192 (128 + 64)
11100000 = 224 (128 + 64 + 32) and so on. Oh, and
10101001 = 169 (128 + 32 + 8 + 1)

Network masks use a _contiguous_ series of '1's (which means that the
last one [169] is not a valid mask value), so with the eight bits I
showed above, there are only eight valid numbers - 128 (0x80 in hexadecimal)
192 (0xC0), 224 (0xE0), 240 (0xF0), 248 (0xF8), 252 (0xFC), 254 (0xFE)
and the 'all ones' case of 255 (0xFF). Don't forget the all zeros case
of 0 (0x00). The numbers in parentheses are hexadecimal, just another
way of describing a number. As the name implies (hexa = 6 + decimal = 10),
there are sixteen valid values, shown here with the binary equivalent:

0x0 0000   0x3 0011   0x6 0110   0x9 1001   0xC 1100   0xF 1111
0x1 0001   0x4 0100   0x7 0111   0xA 1010   0xD 1101
0x2 0010   0x5 0101   0x8 1000   0xB 1011   0xE 1110

So, you count 0x8, 0x9, 0xA, 0xB... 0xE, 0xF, 0x10, 0x11 and so on. What
comes after 0x99? 0x9A of course. But after 0xFF, you reach 0x100. The
'0x' prefix is to show that these should be read as hexadecimal - imagine
the confusion of 0x22 (34 in decimal) versus '22'. Binary numbers are often
shown in strings of four or eight digits (with leading zeros if needed) for
the same reason.

Computers think in binary. We use other number schemes to make life easier
for us. Humans count in decimal, so binary numbers are a pain in the a$$.
We also don't like long strings of numbers (but computers don't care). The
IP address of this computer is 192.168.1.117 as far as humans are concerned,
but the computer sees this as 11000000 10101000 00000001 01110101 (I put
spaces in there so that you can see the binary to decimal conversion).

The masks as mentioned are used to make routing decisions. The concept is
that where there is a '1' in the mask, the numbers have to be the same for
some condition to be true. This 'condition' might be 'local' or 'another
network'. To see how this is used, here is a UNIX routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.2.0     192.168.1.6     255.255.255.0   UG    0      0    11695 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0      420 lo
0.0.0.0         192.168.1.248   0.0.0.0         UG    0      0     2004 eth0

Notice that the first two use a mask (here labeled Genmask) of 255.255.255.0.
The routing decision for the first line is 'local' or not.

Me 11000000 10101000 00000001 01110101 (192.168.1.117)
Him 11000000 10101000 00000001 10000101 (192.168.1.133)
MASK 11111111 11111111 11111111 00000000 (255.255.255.0)

You can see that the first 24 ones and zeros of 'Me' and 'Him' are the
same, as the mask demands, so this is a 'local' route. OK, what about

Me 11000000 10101000 00000001 01110101 (192.168.1.117)
Her 11000000 10101000 00000010 10101000 (192.168.2.168)
MASK 11111111 11111111 11111111 00000000 (255.255.255.0)

Here, you can see that the last two bits in the third set don't match,
so the match fails, and this is not a 'local' route. If you work a
little more, you'd notice it does match the second line in the routing
table above, so the computer should send the packet to 192.168.1.6
which is a router, and let it forward the packets. Now, what about

Them 10101000 00000001 10000101 01110101 (168.1.133.117)

If you study this real hard, you see that this does not match the
local route, the route reached by 192.168.1.6, or the third route
(127.0.0.0/8 - the /8 notation merely noting the number of consecutive '1's
in the network mask). But it does match the last route - the one where
the mask is all zeros. (You must match the bits where there is a '1' in
the mask - here there are none, so 'everything' matches.) If everything
matches, why worry about the other routes? Efficiency. Package delivery
services like FedEx work by sending everything to one point, where it's
sorted and sent to a destination, BUT even they don't send packages from
you to your neighbor to that central sorting point. Actually, _you_ may
just deliver it yourself, and save the fee. Same concept.

>Thanks for helping me to come to my senses


Honestly, computer networking is based on a number of fairly simple ideas.
The problems are that these are not obvious, and that there are a lot of
those ideas - many you don't have to know about - that have to work just
so for the overall ball of wax to work without apparent user input.

Old guy
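A worked version of the two explanations above, added here as an example and not part of either post: Unruh's bitwise-AND membership test (run on his 8-bit values, placed in the last octet of a 32-bit address), the contiguous-ones rule Moe Trin states (his 169 example fails it), and route selection against the routing table Moe Trin quoted, for the three addresses he works through by hand. The routes and addresses are the posts' own; the function names and the use of Python's `ipaddress` module are mine.

```python
import ipaddress

def to_int(dotted):
    """Convert a dotted-quad string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))

def to_bits(value):
    """Render a 32-bit value in the '11000000 10101000 ...' layout used in the post."""
    bits = format(value, "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))

def in_subnet(address, network, mask):
    """Unruh's test: (address AND mask) == network means the address is on that subnet."""
    return (to_int(address) & to_int(mask)) == to_int(network)

def is_contiguous_mask(mask):
    """True when the mask is a run of ones followed by zeros, as Moe Trin requires.
    Inverting the mask gives zeros-then-ones, i.e. a number of the form 2^k - 1,
    and those are exactly the values for which (x & (x + 1)) == 0."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

# Moe Trin's "Kernel IP routing table", as (destination, gateway, genmask).
ROUTES = [
    ("192.168.1.0", "0.0.0.0",       "255.255.255.0"),
    ("192.168.2.0", "192.168.1.6",   "255.255.255.0"),
    ("127.0.0.0",   "0.0.0.0",       "255.0.0.0"),
    ("0.0.0.0",     "192.168.1.248", "0.0.0.0"),
]

def lookup_route(address, routes=ROUTES):
    """Return the most specific matching (destination, gateway, genmask).
    Every route whose masked bits agree is a candidate; the longest mask wins,
    so the all-zeros default route is used only when nothing else matches."""
    candidates = [r for r in routes if in_subnet(address, r[0], r[2])]
    return max(candidates, key=lambda r: bin(to_int(r[2])).count("1"))

if __name__ == "__main__":
    me = "192.168.1.117"
    for other in ("192.168.1.133", "192.168.2.168", "168.1.133.117"):
        dest, gateway, mask = lookup_route(other)
        print(f"Me   {to_bits(to_int(me))}")
        print(f"Them {to_bits(to_int(other))}")
        print(f"MASK {to_bits(to_int(mask))}")
        hop = "deliver locally" if gateway == "0.0.0.0" else f"send to router {gateway}"
        print(f"{other} -> {dest}/{mask}: {hop}\n")
    print("255.255.255.169 is a valid mask?", is_contiguous_mask("255.255.255.169"))
```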
 
Nick
      10-17-2005

"Winged" <(E-Mail Removed)> wrote in message
news:55d39$433f17a1$18d6d959$(E-Mail Removed)...
> Nick wrote:
> > Hi
> >
> > As there are over 65000 ports in the TCP/IP stack, which ones are the
> > most necessary ports for a home user and how to close the rest of the
> > ports? My PC is connected to internet via a router and a cable modem. I
> > run ZA firewall and BHODemon 2.0 thanks to the help from Mr.Lipman. Here
> > is a ports link I found online:
> > http://www.iss.net/security_center/a...ts/default.htm
>
> TCP/IPv4 connection consists of two endpoints, and each endpoint
> consists of an IP address and a port number.


This is called "a socket", right?

> Similarly, for UDP/IP, when a datagram is sent by a client from an
> unbound port number, an ephemeral port number is assigned automatically
> so the receiving end can reply to the sender.
>
> To restrict what ephemeral ports windows will use to listen on:
>
> http://support.microsoft.com/default...b;en-us;300083


The above link suggests:
5. In the Port range text box, add a port range (for example, type
5000-5020), and then click OK.

so I added the port range 5000-5020. Any other suggestion, please?

> The server ports typically should be completely blocked from Internet
> exposure on most home systems. Additionally running services should be
> reduced to a bare minimum of what is required on the system.
>
> A good list of service definitions and what you need is here:
>
> http://www.ss64.com/ntsyntax/services.html
> http://inside.bard.edu/~winig/BlackViper.doc


Thanks. It's still difficult for me to decide which services are not
essential...

> A final step is needed. You should block all ports at your firewall not
> required. Most home users will want to block all inbound connections
> below 1024. Additionally you should only allow inbound connections to
> those ports you set following the MS procedure above, and block other
> communication.
>
> Without knowing a bit more about your firewall choices or your explicit
> requirements it is a bit difficult to provide precise guidance.


Thanks, you have been very, very helpful!


 
Nick
      10-18-2005

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:E5J%e.5741$JY6.4756@trnddc02...
> From: "Nick" <(E-Mail Removed)>
>
> Hi Nick:
>
> The objective is to block ports that are open on the LAN side. Running
> NETSTAT -AN and/or TCPVIEW you can determine what open ports are
> "listening" for communication.
>
> So for example if you have a BootP-TFTP Daemon loaded on the LAN, you
> would want to block UDP ports 67 and 69.


Netstat -an gives me the following:

TCP    0.0.0.0:135          0.0.0.0:0              LISTENING
TCP    0.0.0.0:445          0.0.0.0:0              LISTENING
TCP    0.0.0.0:1031         0.0.0.0:0              LISTENING
TCP    0.0.0.0:1183         0.0.0.0:0              LISTENING
TCP    0.0.0.0:1184         0.0.0.0:0              LISTENING
TCP    0.0.0.0:5000         0.0.0.0:0              LISTENING
TCP    24.87.130.73:139     0.0.0.0:0              LISTENING
TCP    24.87.130.73:445     24.87.255.171:2811     ESTABLISHED
TCP    24.87.130.73:1183    64.59.144.76:119       ESTABLISHED
TCP    24.87.130.73:1184    64.59.144.76:119       ESTABLISHED
TCP    127.0.0.1:1042       0.0.0.0:0              LISTENING

where 24.87.130.73 is my TCP/IP address.
Should I close the ports: 135, 139, 445, please?

Thanks
Nick
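As an added example (not from the thread), here is a small script that reads the netstat -an lines above and sorts them the way the earlier replies suggest: sockets listening on 0.0.0.0 or on the public address are reachable from the network, while an ESTABLISHED line whose local port is ephemeral and whose remote port is a well-known one (1183 to 119) is the client side of a connection Nick opened himself, which needs no inbound port open at all, and a line with the well-known port on the local side is a connection a remote host made to this machine. The MY_IP constant, the 1025 cut-off and the bucket names are mine; the netstat lines are copied from the post.

```python
import re

MY_IP = "24.87.130.73"      # the address Nick says is his own
EPHEMERAL_START = 1025      # "a random number above 1024", as Moe Trin puts it

# The netstat -an output from Nick's post, copied verbatim.
NETSTAT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1183 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1184 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 24.87.130.73:139 0.0.0.0:0 LISTENING
TCP 24.87.130.73:445 24.87.255.171:2811 ESTABLISHED
TCP 24.87.130.73:1183 64.59.144.76:119 ESTABLISHED
TCP 24.87.130.73:1184 64.59.144.76:119 ESTABLISHED
TCP 127.0.0.1:1042 0.0.0.0:0 LISTENING
"""

# TCP lines only: "TCP local:port remote:port STATE" (UDP lines have no state).
LINE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_netstat(text):
    """Turn netstat -an lines into (local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows

def classify(rows, my_ip):
    """Split listeners by reachability and connections by who started them."""
    out = {"exposed_listeners": [], "loopback_listeners": [], "outbound": [], "inbound": []}
    for lip, lport, rip, rport, state in rows:
        if state == "LISTENING":
            # 0.0.0.0 binds every interface, including the one facing the cable modem.
            bucket = "exposed_listeners" if lip in ("0.0.0.0", my_ip) else "loopback_listeners"
            out[bucket].append(lport)
        elif state == "ESTABLISHED":
            if lport >= EPHEMERAL_START and rport < EPHEMERAL_START:
                # Client side: our port is ephemeral, the service lives on the remote port.
                out["outbound"].append((lport, rip, rport))
            else:
                # Server side: a remote host connected to a service port on this machine.
                out["inbound"].append((rip, rport, lport))
    return out

if __name__ == "__main__":
    for bucket, items in classify(parse_netstat(NETSTAT), MY_IP).items():
        print(f"{bucket}: {items}")
```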


 
Nick
      10-18-2005

"Unruh" <(E-Mail Removed)> wrote in message
news:dhnrog$9iv$(E-Mail Removed)...
> >Hi Nick:
> >
> >The objective is to block ports that are open on the LAN side. Running
> >NETSTAT -AN and/or TCPVIEW you can determine what open ports are
> >"listening" for communication.
> >
> >So for example if you have a BootP-TFTP Daemon loaded on the LAN, you
> >would want to block UDP ports 67 and 69.
> >
> >You don't need to look at all the 65536 (2^16) ports. Just the ports on
> >the LAN side that are listening for communication.
>
> Better yet, why listen? This is a weird process. You run one program to
> listen to a port and then run another to block that port.


Will you be more specific, please?

Thanks
Nick


 
Nick
      10-25-2005

"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Nick wrote:
>
> > Hi
> >
> > As there are over 65000 ports in the TCP/IP stack, which ones are the
> > most necessary ports for a homeuser and how to close the rest of the
> > ports? My PC is connected to internet via a router and a cable modem. I
> > run ZA firewall and BHODemon 2.0 thanks to the help from Mr.Lipman. Here
> > is a ports link I found online:
> > http://www.iss.net/security_center/a...ts/default.htm
> >
> > Thanks in advance!
> > Nick
>
> Hum. I assume you are running a host-based firewall with no server ports
> since you said you are a "homeuser". I am not familiar with any of the
> WinFirewalls but I will assume it is stateful (it really is important to
> know whether it is a stateful or a packet filtering firewall as the
> configurations will be different). However, since most firewalls nowadays
> are stateful or better, your ZA firewall is probably *not* a packet
> filtering firewall (which is good because packet filter firewalls
> suck).


Yes, I use ZA and you are saying that ZA is a stateful firewall but not a
packet filtering firewall. Are stateful/stateless and packet filtering two
different things? I checked my security+ book regarding this, but all I
could find is the following:
- stateful packet filtering is a filtering technique that records the state
of a connection between an internal computer and an external server and
makes decisions based on the connection as well as the rule base (?).
- stateless packet filtering is a filtering technique that permits or denies
a packet based strictly on the rule base.


>
> Now the next question. Do you have any *other* computers on your home LAN?


I have my computer, my daughter's computer and my laptop. They were all
connected to a 4-port GNet router. The router was connected to a modem
cable. I do not use the router at the moment because all of a sudden it
blocked my connection to the internet and I do not know how to configure it.
Maybe it's broken. I do not have the phone number of the store I bought it
from either. Anyway, right now I have only my computer connected directly to
the modem and ZA firewall as well as BHO Demon 2.0, Symantec Antivirus,
Spybot, and Ad-Aware SE Professional.

> If not then you can simply allow all outgoing (stateful) connections and
> deny all incoming (if you do have more than one home computer please reply
> back and we can talk about that). Now remember that your host based
> firewall is stateful so incoming data (ports) will be allowed to
> communicate with you provided you initialized the connection (started the
> connection). It works like this (Warning: very, very basic description
> below)
>
> You are at home and open your browser and type the url for www.bbc.com:
>
> Your browser gets an open port in the defined ephemeral (basically client
> ports) range. Let's say it is port 25,000 TCP. Next the PC sends a packet
> from your IP and your client port number 25000 going to the IP of
> www.bbc.com port 80 (www server port). Your stateful firewall records
> this to allow www.bbc.com port 80 to reply back to you on your IP and your
> port 25,000 TCP....
>
> It is actually much more complicated than this; there are things like the
> TCP three-way handshake, negotiation of window sizes, RST, ACK, NACK, etc,
> etc, etc...
>
> Anyway to summarize you can simply allow all access out of your computer
> going anywhere but deny all incoming (Again, only if you are running a
> stateful firewall and you do not have more than one computer on your home
> network). The reason I ask you about the number of computers on your home
> network is because you *might* want to have a domain or filesharing, etc
> capabilities between your home computers.
>
> There are a couple of things worth mentioning. There is a special address
> (interface) called a "loopback". There are some special things to consider
> here but, I bet the WinFirewall you are using probably does it for
> you....so I would not worry.


127.0.0.1

>
> Again, realize that I generalized a lot here for simplicity's sake (and I
> hate typing)....
>
> Anyway good luck,
> Imhotep


Thanks
Nick
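A toy model of the stateful-versus-stateless distinction that Imhotep's walk-through and the Security+ definitions quoted above describe, added here as an example and not part of the thread. Both filter classes are mine; the addresses (documentation ranges, with a placeholder standing in for www.bbc.com), the 25,000 client port and the packet list are constructed.

```python
MY_IP = "192.0.2.10"        # constructed stand-in for the home PC
BBC = "198.51.100.80"       # constructed placeholder for www.bbc.com, not its real address
EPHEMERAL = range(1025, 65536)

class StatefulFirewall:
    """Imhotep's rule: allow everything out, deny everything in except the
    reply leg of a connection this host started."""
    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.state = set()   # (proto, our_port, remote_ip, remote_port) we have opened

    def filter(self, proto, src, sport, dst, dport):
        if src == self.my_ip:
            # Outbound: allowed, and recorded so that the reply can come back in.
            self.state.add((proto, sport, dst, dport))
            return "ALLOW"
        if (proto, dport, src, sport) in self.state:
            return "ALLOW"   # reply from the exact host and port we connected to
        return "DENY"        # unsolicited inbound, whatever port it aims at

class StatelessFilter:
    """Nick's Security+ definition: judge each packet by the rule base alone.
    To let web replies in at all it has to open the whole client port range
    inbound, so unsolicited packets to those ports get through as well."""
    def __init__(self, my_ip):
        self.my_ip = my_ip

    def filter(self, proto, src, sport, dst, dport):
        if dst != self.my_ip:
            return "ALLOW"                      # outbound traffic
        return "ALLOW" if dport in EPHEMERAL else "DENY"

def run(fw, packets):
    """Apply a filter to the packets in order and return the verdicts."""
    return [fw.filter(*p) for p in packets]

# Constructed packets: Imhotep's www.bbc.com exchange, then two unsolicited ones.
PACKETS = [
    ("TCP", MY_IP, 25000, BBC, 80),              # browser opens www.bbc.com
    ("TCP", BBC, 80, MY_IP, 25000),              # the reply leg of that connection
    ("TCP", "203.0.113.7", 80, MY_IP, 25000),    # another host aiming at the same port
    ("TCP", "203.0.113.7", 3456, MY_IP, 445),    # unsolicited connection to a server port
]

if __name__ == "__main__":
    print("stateful :", run(StatefulFirewall(MY_IP), PACKETS))
    print("stateless:", run(StatelessFilter(MY_IP), PACKETS))
```

The third packet is where the two differ: the stateful filter drops it because no connection to that host and port is in its table, while the stateless rule base has to admit it in order to admit the genuine reply.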


 